Abstract

Fmd eadym afddd ryamn Im bmn dorm te be pam/de 
tknudr da Imdopmm e/ e eedeajen tf Jdaeoen d ked apawOMg 
— — cdkd * comatmmeie ra. Tkt amaawmM aa eppaadi Imdi <■ 
a mem madmd Jhr the kmii"fremmkm tf fad t okra m a e H 
(BT) Jbda by tet m am aa eS aroaeaa tkimem 
Rem da eorUitmeM ML The ackeamea tf ryaem fiad tekremee a 
0am m ^k e ka ip avmdme e etaatmaat m eamdUaa mad /eadag 
dai da earndkOa a a ce mmmaa m. Tbe t mrna tm m em m 

amta Oam be tkrmm to be ataake M Foatck apfOemiem by aipftyima 
a aatbadu pvduct amek tf ba demema, aad te parke m mma u 
ttrmne ad err jeaua tiem u a a fom dot aa. Tka paper apttka daat 
aekaquea la aacro ^ tet a aor mtndkra aoaato traaakrm a typed earn- 
ad ayaam baa a diddy atodt/dd ttraom wkeb la paata k be ueak- 
ptafi tfke da dtparmae tfea BT JbuO. da bdmee a t dap tfdaap- 
lam It mob tka ramial rmam to tbe popee tv or d d/aftkn a 
eaaaed. aaaamiag ao penmaete ^da texaa. 

A valid containment set candidate is found for the 8085 CPU, with an accompanying proof that it is a containment set. This set is the basis of crash-proof design for the 8085 microprocessor; the same approach can be applied to other microprocessors.


Introduction

Containment set theory was first developed [1] to better understand the effects on digital systems which perturbation by I/T faults can produce. The approach concentrates attention on the upset level, where system function is of prime concern. When the operation of the system can be completely described in terms of a finite set of mutually exclusive functional states, covering all possible transfer functions, this set of functional states is referred to as the containment set. All possible system states must cause functional operation of one of the elements of the containment set.

This set must include all possible valid functional states of the fault-free system, but this set must also include invalid functional states, not explicitly in the system but into which the system can nevertheless be driven by a transient. It was shown in [1] how probabilistic modeling and analysis of a control system's steady state response to transient faults can be made from a containment set, that a suitable form for containment set elements in microprocessor controllers is the program loop, and how erroneous loops (erroneous containment set elements) can result. The modeling and analysis ideas are generalized in [2].

The program loop examples of [1] serve as simple examples indicating how a containment set can be formed. The task of finding all possible loop structures which a microprocessor controller can support is handled in this paper.


* This research was supported by NASA Grant NSG 1442.


Upset Theory Applied to Microprocessor Controllers

The digital systems of interest are microprocessor controllers. These controllers typically consist of a single computer board, and contain the CPU, several thousand bytes of ROM for program storage, several hundred bytes of RAM for data storage, and I/O devices. Previously developed theory is applied to these systems in preparation for the evolution of crash-proof hardware design rules.

The purpose of this section is to produce a finite set as a candidate for a microprocessor controller containment set, and to prove that it is indeed a containment set. To achieve this goal, the ideas of: loop set; erroneous loops; ROM restriction mechanism; special state detector; SAFE ROM; program structures; path diverters; loop structure types; improper subroutines; and STACK WALL are introduced.


Containment Set Characterization

The definition of a useful containment set is the key to the practical use of the developed theory. The containment set elements must define controller function. The functions of microprocessor based designs are determined by the application program. The control program is as much a part of the controller "logic" as are the hardware details, and any useful approach to upset analysis of such systems should be expected to take into account the particular application program. For these reasons, the containment set approach to the understanding of I/T fault relationships in microprocessor controllers not only includes, but intimately involves, the application program. Therefore, the hardware "system" cannot be analyzed independently from the software; for the hardware is not the system — the hardware in conjunction with the software is the real "system."


Programs

For microprocessor controllers, programs can be defined as one of two types: those which exit and those which indefinitely loop. An exiting program performs some calculation, or performs some function, and then terminates. A loop program, or simply loop, is a program which has the capability of looping indefinitely, and the loop set {L} is the set of all possible loops defined by a given system. Under some conditions, the program may terminate, but unless it terminates under all possible conditions, it is classified as a program loop. A loop program usually monitors inputs or processes input data and transfers results to the output. Often, a loop monitors some input condition, waiting for arrival of some specified state before exit. In the following only loop programs will be considered. This is not particularly restrictive for microprocessor controllers, since process control software [3] is such that most often controller programs are loops. Also, a number of exiting programs executed in sequence can result in a single loop program.
Within this framework of a microprocessor controller, the loop programs are natural choices for functional level program states. A program loop defines I/O relationships. The processing between the reading of input sensors and the writing to system actuators sets the system transfer function. If a loop contains no outputs, the I/O relationship reduces to the trivial. The operational status of the controller can be given as a specification of the particular loop program currently under execution. Moreover, in addition to valid loop programs that are explicitly written for the application, there can be erroneous embedded loops to which the system can be driven by a transient fault. The loop set is then the collection of all valid and erroneous loop programs. Before returning to these erroneous loops, the interaction between transient faults and the loop set will be discussed.

Given that the controller is executing some loop program, L_i ∈ {L}, upsets can be characterized in three ways:

Class 1 Upset: Data Change. A transient fault is said to produce a data change upset when that fault changes data values being transferred and/or stored, but loop program L_i continues to be executed.

Class 2 Upset: Program Bump. A transient fault is said to produce a program bump upset when that fault causes a temporary divergence from loop program L_i, but the controller eventually returns to that program.

Class 3 Upset: Program Transition. A transient fault is said to produce a program transition upset when that fault causes the controller to jump from the execution of L_i to the execution of L_j ∈ {L}, i ≠ j.

The data change upsets and program bump upsets are the least significant of the three upset classes because their effects on the controller's operation are temporary, and the controller itself either continues or returns within a finite time to the execution of the proper loop program. In many control applications, such as those in which a mechanical device is being operated, temporary data changes or program bumps usually occur at a rate exceeding the device's capacity to respond. On the other hand, a program transition upset resulting from a transient fault is a steady state operational deviation which can have most serious consequences. Indeed, the result of a transition into an erroneous embedded loop is usually referred to as a system crash. These comments, of course, are a reiteration of the justification for the importance of operational level containment sets put in terms of microprocessor controllers.
FIGURE 1. ERRONEOUS LOOP INSTRUCTION EXECUTION


The loop set is proposed as a candidate for a containment set. Since the set is defined in terms of loop programs, a complete investigation into the ways in which these loops can be formed is necessary. It will be shown that there are a variety of program structures which can support program loops. These structures may be either valid or erroneous loops.

Erroneous Loops

In addition to valid loop programs, the existence of erroneous embedded loop programs has been mentioned. A transient fault can cause program execution to begin at any memory location. This can cause incorrect execution of a valid loop program, if more than one valid loop program exists, or it can cause the execution of an erroneous loop program which is embedded in the application program (program crash). It therefore is appropriate that a simple example of the existence of such phenomena be given. Erroneous program loops exist because of multiple byte instructions and data storage, as shown in Fig. 1. If execution erroneously begins at a data location, the data will be interpreted as an op-code, and execution of an erroneous loop program can begin.



An example program for the Intel 8085 8-bit CPU [4] is given in Fig. 2. The loop set {L} consists of one intentional loop, L0, and two erroneous loops, L1 and L2. The entire contents of the 256-byte ROM are shown, from address 0000 to 00FF. Execution of L0 normally begins at address 00CA, where the 3E is the op-code for the MVI instruction. L0 consists of seven instructions, and if execution begins at the first byte of any of these instructions, execution will remain in L0. These addresses are: 00CA, 00CC, 00CE, 00D1, 00D2, 00D5, and 00D6. If execution begins at 00CB, the data value C3 will be interpreted as a JMP instruction. The result, therefore, is the execution of the erroneous loop, L1. Execution at 00D3 also results in the execution of loop L1. Execution at 00CF produces a one instruction loop, L2. If execution begins at addresses 0000 through 00C9, each 00 will be interpreted as a NOP instruction, leading to loop L0. Similarly, addresses 00CD, and 00D8 through 00FE result in NOP's. Address 00D0 is interpreted as RST 1, which sends control to the NOP block at the head of the program. At address 00D4 is found the data CB. This is not an Intel defined 8085 instruction. It has been found, however, that upon execution of this op-code, an instruction called RSTV, restart on overflow, results [5]. Execution either continues or control passes to the top block of NOP's; in either case the result is loop L0. At address 00D7, the CA is interpreted as JZ, so control either goes to address 0000, or to the trailing NOP's. The last memory location contains C7, interpreted as RST 0, which sends control to address 0000. The RESULT column of Fig. 2 shows which loop is reached if execution begins at each memory location. In this example, there are only three memory locations from which execution will result in an erroneous loop program.
These erroneous loops are but one type of loop program. As will be seen later in this section, other program structures permit other forms of both valid and erroneous loops.


Hardware Requirements

The set of loop programs has been proposed as a containment set for microprocessor controllers. Up to this point, it is not clear that this loop set satisfies the containment set requirements: namely, that they form a complete, finite, mutually exclusive set of all possible operational states. The set of all possible valid and erroneous loop programs is certainly mutually exclusive. However, it must be further shown that this set is finite and that it is possible to determine each element of the set. It is also necessary to show that the loop set describes all possible operational states of the controller. These requirements will not in general be met by an unmodified microprocessor controller. However, it will be seen that it is possible to satisfy these requirements through the modification of typical microprocessor controllers.

The realization of a controller in which upsets can be characterized as loop program transitions requires that some specific, but not excessive or unreasonable, constraints be designed into the system. First of all, if programs are permitted to execute from RAM, and since the contents of RAM can be changed at any time both during program operation and by a transient fault, there would be a nearly infinite set of possible loop programs which could be executed from RAM. This is because in the case the RAM contents are the instructions themselves, it is possible for any sequence of instructions to be placed into RAM and executed, and the set of loop programs consists of all possible loop programs which can be written within the CPU instruction set. Therefore, it is necessary that the application program be stored in the controller's ROM, and the program execution be forcibly restricted by hardware to that ROM. This ROM restriction is not a real program restriction, since this already is the case for microprocessor controller designs. Since all of the valid loop programs are defined by the application program, the ROM restriction guarantees that the set of valid loop programs — a subset of the containment set — remains fixed during system operation, as long as no permanent faults occur.

The set of erroneous loops must be finite, fixed, and determinable. Due to the ROM restriction, only program execution from the ROM need be considered. However, since small microprocessor systems often use incomplete address decoding, in such cases the ROM can be activated from many addresses other than the ones which are intended, creating many images of the ROM. In normal operation, this does not matter, since the control program never sends control out of the primary ROM address space. With the addition of faults, it is possible for these images of the ROM to be accessed, and the ROM restriction will not prevent this occurrence. This can be permitted, but the complete set of addresses which can access the ROM must be known. In addition, the complete ROM contents must be known; there is usually unused storage space which is not defined, and not necessary for fault-free program operation. With a complete ROM specification the set of erroneous loop programs is finite, fixed, and determinable. Therefore, since the containment set is the union of the valid and erroneous loop sets, and each is finite, fixed, and determinable, the entire loop set is finite, fixed, and determinable. All that remains to be shown to conclude that the loop set is a containment set is that it covers all possible operational states.

The loop set describes all possible operational states while the processor is executing instructions. However, there are states the CPU can enter which can halt the execution of instructions. These states will vary from processor to processor, but for example, will usually include the halted state. Hence, any special function that is included in a processor's operational capabilities, and which can prevent normal program execution, must be removed. If this is done, then the loop set becomes complete (the CPU cannot remain in any state not in the loop set), and qualifies as a containment set.

The additional hardware, then, must include the ROM execution restriction and a special state detector. The special state detector flags entry into otherwise prohibited states. If a bad state is detected, something must be done to leave it. A nonmaskable trap input can be used to force exit from these special states, or a simple reset may likewise be used. Regardless of the implementation details, it should be appreciated that together, the two additional hardware sections have a complexity on the order of two to three integrated circuits.

It should be noted that with the addition of hardware to the controller the system is inherently changed. It is possible for the new hardware to create new states which can prevent program operation. The hardware additions must be analyzed and modified if necessary to verify that this is not the case.

With these restrictions, the processor is guaranteed to be executing instructions; those instructions are guaranteed to be contained in ROM; the ROM address space is completely defined; and therefore, in the steady state, the processor must be executing one of the programs in the loop set, so the loop set is a containment set.

An alternative to determining all possible erroneous loops is to prevent their execution with hardware. This can be done with the addition of what will be called a SAFE ROM. The SAFE ROM is a 1-bit wide memory, with the same number of locations as the main ROM (where the control program is stored). The single additional bit is used to distinguish between valid and erroneous instruction fetches. The first byte of multiple byte instructions is marked as valid; all other locations — data, addresses, and lookup tables — are marked as erroneous. The ROM restrict hardware must then verify through the SAFE ROM that a valid instruction is being fetched. If not, a trap interrupt or a reset must be issued. SAFE ROM hardware supplies the option of trading off hardware for the additional complex program analysis needed to determine the erroneous loop set. The SAFE ROM performs the function of limiting the capabilities of the operating software, used here at a lower level than as first defined in [6].
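As an added example (not from the paper), the following Python script carries out the Fig. 2 style analysis on a constructed 256-byte 8085 ROM laid out like the one described in the Erroneous Loops section, producing the loop reached from every start address, and then builds the one-bit SAFE ROM map described above to show that the erroneous loops disappear once invalid fetches are diverted. The ROM bytes, the reset-to-0000h behaviour on a bad fetch or HLT, and the mirrored-ROM address wrap are assumptions of the example, not details given by the paper.

```python
"""Fig. 2 style analysis of a constructed 8085 ROM: which loop program does
execution settle into from each start address, and how a SAFE ROM bit map
removes the erroneous loops. Added example, not from the paper. The ROM bytes
are constructed to have the structure the text describes: intentional loop L0
at 00CA, erroneous loops entered at 00CB/00D3 and at 00CF, RST 0 at 00FF."""

ROM_SIZE = 0x100
RESET = 0x0000   # assumption: a bad fetch (SAFE ROM) or HLT forces a reset to 0000h

ROM = bytearray(ROM_SIZE)          # 0000-00C9 and 00D9-00FE stay 00 = NOP
ROM[0xCA:0xD9] = bytes([
    0x3E, 0xC3,        # 00CA  MVI A,C3h   (operand C3 reads as JMP if fetched)
    0xD3, 0x00,        # 00CC  OUT 00h
    0x3A, 0xC3, 0xCF,  # 00CE  LDA CFC3h   (C3 CF 00 at 00CF reads as JMP 00CF)
    0x00,              # 00D1  NOP
    0x32, 0xC3, 0xCB,  # 00D2  STA CBC3h   (C3 CB 00 at 00D3 reads as JMP 00CB)
    0x00,              # 00D5  NOP
    0xC3, 0xCA, 0x00,  # 00D6  JMP 00CAh   (CA 00 00 at 00D7 reads as JZ 0000)
])
ROM[0xFF] = 0xC7       # RST 0: the trailing NOP run wraps back to 0000

# 8085 instruction sizes and path-diverter classes (documented opcodes plus the
# undocumented RSTV at CB and the JNK/JK jumps at DD/FD).
LEN3 = {0x01, 0x11, 0x21, 0x31, 0x22, 0x2A, 0x32, 0x3A}
LEN2 = {0x06, 0x0E, 0x16, 0x1E, 0x26, 0x2E, 0x36, 0x3E, 0xD3, 0xDB,
        0xC6, 0xCE, 0xD6, 0xDE, 0xE6, 0xEE, 0xF6, 0xFE}
COND_JMP = {0xC2, 0xCA, 0xD2, 0xDA, 0xE2, 0xEA, 0xF2, 0xFA, 0xDD, 0xFD}
COND_CALL = {0xC4, 0xCC, 0xD4, 0xDC, 0xE4, 0xEC, 0xF4, 0xFC}
BRANCH3 = COND_JMP | COND_CALL | {0xC3, 0xCD}        # carry a 16-bit target
RST = {0xC7 + 8 * n: 8 * n for n in range(8)}        # RST 0..7 -> 0000h..0038h
RETURNS = {0xC9, 0xC0, 0xC8, 0xD0, 0xD8, 0xE0, 0xE8, 0xF0, 0xF8, 0xE9}  # RET, Rcc, PCHL

def successors(rom, pc, safe=None):
    """Instruction addresses that can follow the instruction fetched at pc; both
    outcomes of a conditional diverter are returned. With a SAFE ROM bit map, a
    fetch from a location not marked valid is diverted to RESET instead."""
    if safe is not None and not safe[pc]:
        return [RESET]
    op = rom[pc]
    size = 3 if op in LEN3 or op in BRANCH3 else 2 if op in LEN2 else 1
    nxt = (pc + size) % len(rom)     # assumption: incomplete decoding mirrors the ROM
    if op in BRANCH3:
        target = (rom[(pc + 1) % len(rom)] | rom[(pc + 2) % len(rom)] << 8) % len(rom)
        return [target] if op in (0xC3, 0xCD) else [target, nxt]
    if op in RST:
        return [RST[op]]
    if op == 0xCB:                   # RSTV: restart at 0040h on overflow, else fall through
        return [0x40, nxt]
    if op == 0x76:                   # HLT: special state the detector must force out of
        return [RESET]
    if op in RETURNS:                # target comes from the stack or HL, not from the ROM
        return [] if op in (0xC9, 0xE9) else [nxt]
    return [nxt]

def reachable(rom, start, safe=None):
    """All instruction addresses reachable from start (start included)."""
    seen, todo = set(), [start]
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(successors(rom, a, safe))
    return seen

def analyze(rom, safe=None):
    """The RESULT column: for every address, the set of loop programs execution
    must settle into if it begins there. A loop program is the frozenset of
    addresses of a terminal cycle (a cycle with no way out)."""
    reach = {a: reachable(rom, a, safe) for a in range(len(rom))}
    # a lies on a terminal cycle iff everything reachable from a leads back to a
    terminal = {a for a in reach if all(a in reach[b] for b in reach[a])}
    return {a: {frozenset(reach[t]) for t in reach[a] & terminal} for a in reach}

def loop_set(result):
    """{L}: every valid and erroneous loop reachable from some address."""
    return set().union(*result.values())

def erroneous_starts(result, intended):
    """Addresses from which execution is not certain to end in `intended`."""
    return sorted(a for a, loops in result.items() if loops != {intended})

def build_safe_rom(rom, entry):
    """One bit per ROM location: 1 for the first byte of each instruction on the
    fault-free paths from entry, 0 for operands, data and unused locations."""
    valid = reachable(rom, entry)
    return [1 if a in valid else 0 for a in range(len(rom))]

L0 = frozenset({0xCA, 0xCC, 0xCE, 0xD1, 0xD2, 0xD5, 0xD6})   # the intentional loop

if __name__ == "__main__":
    result = analyze(ROM)
    print("loops:", [sorted(f"{a:02X}" for a in lp) for lp in loop_set(result)])
    print("erroneous starts:", [f"{a:02X}" for a in erroneous_starts(result, L0)])
    print("with SAFE ROM:", erroneous_starts(analyze(ROM, build_safe_rom(ROM, RESET)), L0))
```

Without the SAFE ROM the script reports exactly the three erroneous start addresses (00CB, 00CF, 00D3) and the three loops L0, L1, L2; with it, every start address settles into L0.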


Program Structures

The problem remains of finding all possible valid and erroneous loops, given complete ROM contents and ROM address specification. This problem will be attacked by finding all program structures which can possibly result in a loop. Microprocessors execute instructions in sequence, until an event intervenes to divert the path of the program. The search for all loop program structures will center on the concept of a path diverter. A path diverter is defined as any event or condition which can divert program flow from the normal incrementing address sequence. Path diverters may either be hardware or software based.


Hardware Path Diverters

For accuracy and completeness, the following will be restricted to the 8085 CPU. Similar, if not identical, analysis can be done for other microprocessors.

For the 8085, the following hardware features can divert program flow: clock stop, halt, ready, hold, and interrupts. The clock oscillator must be such that it unconditionally oscillates. This is an often overlooked but very important issue in any microprocessor design, but it is particularly significant for fault tolerance. Fortunately, this source of path diversion can be avoided simply by stringently adhering to the manufacturer's specifications. Peripheral circuitry which utilizes the hold or ready inputs must be configured such that a reset pulse assures normal operation resumes should some unplanned lockout take effect (such as a poor bus arbitration circuit which would grant the bus to neither device if two devices contend for the bus at the same time). This is normally automatic. If it is assumed that the hardware additions from the previous section are incorporated (special state and bad fetch detectors, and possibly a SAFE ROM), then program fetches are guaranteed to occur within a specified period of time, or a reset occurs. Therefore, halt, hold, and ready features cannot stop the program execution in the steady state.

This leaves interrupts to be considered. Normally, when an interrupt occurs, an interrupt service routine is executed, and program flow returns to the interrupted program. When this happens, the program path has been diverted, but only in one sense, for the program flow eventually returns to the place at which the interrupt occurred, continuing the original path. A normal interrupt sequence need not be considered a path diverter for the purposes of loop analysis; any program loop which contains a normal interrupt sequence will still be a program loop without the interrupt sequence. Therefore, the interrupt sequence must be "normal" in the sense that the interrupt service routine must return. The service routine is a subroutine, which also can be called from within the program, so with the understanding that it will be considered a subroutine, and that subroutines will be handled in the section on software path diverters, this hardware path diverter can be bypassed — with one exception. A further requirement of an interrupt service subroutine is that it executes in less time than the time between successive interrupts. In a properly operating program, this will always be the case. However, in some special cases, additional provisions must be made to enforce this. If the device which is the source of the interrupts is a programmable peripheral device which has modes of operation which can allow the interrupt interval to decrease under program control (and therefore possibly as a result of a transient fault), steps must be taken to ensure that the interrupt interval is restored after each interrupt. An example of this would be a programmable divider driving an interrupt input. Should the programmable divide ratio be changed such that the period between interrupts becomes less than the service routine execution time, then as soon as the interrupt routine exits, another interrupt will immediately occur. This causes a program loop. In such a case, if within the interrupt service routine the divide ratio of the programmable divider is reinitialized to the proper value, then this interrupt loop can never occur in the steady state.

For the case of external sources of interrupts, the hardware should be examined to verify that no modes of operation exist which can cause the period between interrupts to decrease below that of the interrupt service routine execution time.


Software Path Diverters

Examination of the instruction set of the microprocessor of interest gives the instructions which can divert normal program flow. A problem exists with undefined op-codes. Two options may be explored with these op-codes. A SAFE ROM may be utilized, assuring that only valid instruction fetches are made, which would never include undefined op-codes. Alternatively, the undefined op-codes can be defined by the user. For the 8085, all op-codes not defined by the manufacturer have since been defined by others. Investigation has shown that these "undefined" op-codes may reliably be employed [5]. Therefore, the SAFE ROM approach need not be used with that CPU.

In the 8085, the software path diverter instructions are in the following categories: jump, call and return. The jump category includes the unconditional JMP, and the ten conditional jumps (including the "undefined" jumps). The special instruction PCHL (jump to the address specified by the HL register) is also in the jump category. The call category includes the unconditional CALL, and the eight conditional calls. The nine RST (restart, usually used for interrupts, but sometimes used in place of CALL) instructions (including the undefined RSTV — restart on overflow) are single byte calls, and are also in that category. The return category consists of the unconditional RET (return from subroutine), and the eight conditional returns. A program structural analysis centering on these path diverters follows.


Program Structural Analysis

The assumption that the processor continuously executes instructions is satisfied through hardware requirements. Therefore, in the steady state, a program loop must exist. More precisely, this implies that there exists at least one address containing an instruction such that program flow eventually returns to this address after execution of this instruction. It is desired to determine all program structures which can permit such a loop to exist. These will be found by considering the four loop program types containing the various path diverters.

Type I — Loops Containing Returns

This loop type contains a path diverter of the return category. As shown in Fig. 3, there is a body of code leading to a return instruction, which then routes program flow back to the beginning of the preceding body of code. The return instructions divert program flow by changing the program counter to an address found at the top of the stack; therefore, the stack pointer plays an important role in the path selection. Type I loops will be divided into (A) those which leave the stack pointer unchanged between loop iterations, and (B) those which cause the stack pointer to be changed between loop iterations.

Considering first the loop type IA, it should be noted that the execution of return instructions increases the stack pointer by two. In order for there to be no net change in the stack pointer in one loop iteration, it is therefore necessary for either the stack pointer to be decreased by two in the body of code preceding the return instruction, or for the stack pointer to be loaded at least once per loop. Those loops which load the stack pointer are classed as type IA1. There are only two instructions which can load the stack pointer, LXI SP, and SPHL. It is evident that for loop type IA1 to exist, structure type IA1, shown beneath loop type IA1 in Fig. 3, must exist.

Considering next loop types IA which reduce the stack pointer by two prior to the return instruction, there are three ways this can occur. All PUSH instructions decrement the stack pointer twice, so loop type IA2 results. Structure type IA2 must exist for loop type IA2 to exist. The stack pointer may directly be decremented twice, resulting in loop type IA3. Structure type IA3 is necessary for the existence of this loop type.

For each instruction in the call category, the stack pointer is decremented by two. Loop type IA4 results, for which structure type IA4 must exist. It should be obvious that this structure is that of a standard subroutine.

Loop type IA4 can be further divided into those in which (a) return is as expected, and those in which (b) return is incorrect. For the first type (IA4a), the call to subroutine X is not necessary to form the loop. Even if the "CALL X" instruction is bypassed, the loop still exists, since upon a normal subroutine return execution continues at the instruction after the "CALL X" instruction. Hence, this return instruction is not diverting program flow; it is not the source of the loop. The loop structure remaining when the "CALL X" is removed must itself be one of the loop types categorized which does not include the specific return instruction being considered. For this reason, in the search for all loop structures, type IA4a need not be considered.

Loop type IA4b is such that the return is not to the correct location. This can happen for two reasons: (1) the stack pointer does not point to RAM, or (2) the stack pointer does point to RAM, but the contents of that RAM addressed by the stack pointer — the stack — is modified between the original "CALL X" and the return statement. Subroutines which modify either the stack space or the stack pointer in such a way that return is not to the instruction after the call will be classified as improper subroutines.

To simplify the search for loop types IA, the role of call category instructions encountered in the segments of code listed as "BODY" must be considered. If the CALL leads to a code segment which contains a return category instruction, this falls under loop type IA4. If the CALL leads to a code segment which does not contain a return, then this subroutine is also classified as an improper subroutine. Hence, for the consideration of "BODY," call instructions may be ignored, since their existence can only lead to a structure already covered, or to an improper subroutine.

In summary, then, for a loop of form IA to exist, one of the structures IA1, IA2, IA3, IA4b, or an improper subroutine must also exist.

Loop programs of form IB contain a return category instruction and modify the stack pointer each iteration. These loops will cause the stack pointer to traverse the entire address space. As an aid to the discussion of type IB loops, the STACK WALL is defined.

Let I_d be the largest positive value within a body of code not containing a structural loop by which the stack pointer can be decremented, and I_i the largest by which the stack pointer can be incremented. Let W = 1 + max(I_d - 2, I_i + 2). The STACK WALL consists of a contiguous block of memory locations of length W, such that for any consecutive pair of bytes within that block, an address is formed which is guaranteed not to be within a type IB loop.

Each iteration of a type IB loop changes the stack pointer by SP' = SP + K, where K is the net change in the stack pointer over one iteration. If a STACK WALL exists, then any type IB loop must either contain a structural loop (permitting the stack pointer to be changed out of the limits set by K) or eventually cause the stack pointer to address locations entirely contained within the STACK WALL. When this occurs, the return address will be fetched from within the STACK WALL, and program flow will exit the potential type IB loop, effectively breaking the loop.

In summary, given the existence of a STACK WALL, type IB loops cannot exist in the steady state, or are covered by another type of loop structure.
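As an added example (not the paper's code) covering both the Type IA/IB stack pointer accounting above and the STACK WALL definition, this Python script classifies constructed 8085 loop bodies by their net effect on SP, derives I_d, I_i and W for a type IB body, and checks exhaustively that a wall of length W is always reached while a wall one byte shorter is not. The mnemonic bodies, the 8-bit address space used for the check, and the wall base address are assumptions of the example.

```python
"""Stack pointer accounting for Type I loops and the STACK WALL bound. Added
example, not the paper's code; the loop bodies are constructed 8085 mnemonic
sequences. Symbols as in the text: I_d and I_i are the largest amounts by which
a body (its return excluded) can lower and raise SP, W = 1 + max(I_d - 2, I_i + 2),
and one type IB iteration changes SP by K with -(I_d - 2) <= K <= I_i + 2."""
from math import gcd

RETURNS = {"RET", "RNZ", "RZ", "RNC", "RC", "RPO", "RPE", "RP", "RM"}
CALLS = {"CALL", "CNZ", "CZ", "CNC", "CC", "CPO", "CPE", "CP", "CM", "RST"}
SP_LOADS = {"LXI SP", "SPHL"}          # the only two instructions that load SP

def mnemonic(line):
    """Normalize a source line to its stack-relevant key: 'PUSH B' -> 'PUSH',
    'DCX SP' -> 'DCX SP', 'LXI SP,20FFH' -> 'LXI SP', 'JZ 0000H' -> 'JZ'."""
    op, _, rest = line.strip().upper().partition(" ")
    reg = rest.replace(" ", "").split(",")[0]
    return f"{op} SP" if reg == "SP" and op in ("INX", "DCX", "LXI") else op

def sp_effect(op):
    """Change in SP from executing one mnemonic (taken path for conditionals)."""
    if op in RETURNS or op == "POP":
        return 2
    if op in CALLS or op == "PUSH":
        return -2
    return {"INX SP": 1, "DCX SP": -1}.get(op, 0)

def net_sp_change(body):
    """K: net change in SP over one iteration of a loop built on this body."""
    return sum(sp_effect(mnemonic(line)) for line in body)

def sp_bounds(body):
    """(I_d, I_i): deepest decrement and highest increment of SP reached at any
    point while executing the body, its final return not counted."""
    level, lo, hi = 0, 0, 0
    for line in body[:-1]:
        level += sp_effect(mnemonic(line))
        lo, hi = min(lo, level), max(hi, level)
    return -lo, hi

def classify(body):
    """Structure that can support a Type I loop built on this body: IA1 (SP
    reloaded each iteration), IA2 (PUSH), IA3 (DCX SP), IA4 (a call, i.e. a
    subroutine, which loops only if improper) or IB (SP drifts each iteration)."""
    ops = [mnemonic(line) for line in body]
    if ops[-1] not in RETURNS:
        raise ValueError("a Type I loop body ends in a return-category instruction")
    if any(op in SP_LOADS for op in ops):
        return "IA1"
    if net_sp_change(body) != 0:
        return "IB"
    if "PUSH" in ops:
        return "IA2"
    if "DCX SP" in ops:
        return "IA3"
    return "IA4"    # net zero with neither PUSH nor DCX SP: a call paid for the return

def stack_wall_width(i_d, i_i):
    """W = 1 + max(I_d - 2, I_i + 2): the wall length given in the text."""
    return 1 + max(i_d - 2, i_i + 2)

def possible_steps(i_d, i_i):
    """Every nonzero K an iteration of a type IB loop over such a body can produce."""
    return [k for k in range(-(i_d - 2), i_i + 3) if k != 0]

def wall_reached(sp0, k, base, width, addr_bits):
    """True if, stepping SP by k per iteration, the two return-address bytes at
    SP and SP+1 ever both fall inside the wall [base, base + width)."""
    space = 1 << addr_bits
    sp = sp0 % space
    for _ in range(space // gcd(abs(k), space)):   # one full cycle of SP positions
        if base <= sp and sp + 1 < base + width:
            return True
        sp = (sp + k) % space
    return False

def wall_always_reached(i_d, i_i, width, base=0x80, addr_bits=8):
    """Exhaustive check over every allowed K and every starting SP; an 8-bit
    address space keeps it quick, and the argument is unchanged for 16 bits."""
    return all(wall_reached(sp0, k, base, width, addr_bits)
               for k in possible_steps(i_d, i_i) for sp0 in range(1 << addr_bits))

# Constructed loop bodies, each ending in a return (the CALL target is arbitrary).
BODIES = {
    "IA1": ["LXI SP,20FFH", "PUSH H", "IN 01H", "POP H", "RET"],
    "IA2": ["PUSH B", "IN 01H", "OUT 02H", "RET"],
    "IA3": ["DCX SP", "DCX SP", "RET"],
    "IA4": ["CALL 0100H", "RET"],
    "IB": ["PUSH B", "PUSH D", "RET"],      # SP drifts by K = -2 per iteration
}

if __name__ == "__main__":
    i_d, i_i = sp_bounds(BODIES["IB"])
    w = stack_wall_width(i_d, i_i)
    print({name: classify(body) for name, body in BODIES.items()})
    print(f"I_d={i_d} I_i={i_i} W={w}: W reached {wall_always_reached(i_d, i_i, w)},"
          f" W-1 reached {wall_always_reached(i_d, i_i, w - 1)}")
```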


Type II — Loops Containing Calls

Type II loops contain call category path diverters. If the subroutine called leads to a return type instruction, it will be covered as a type I loop. Therefore, only calls to subroutines not leading to returns need be considered. If the call does not lead to a return, it must lead to a loop. If that loop does not contain the original call instruction, it is not a type II loop. If the subroutine leads to the call instruction, it will be classified as an improper subroutine.

Therefore, the existence of type II loops is dependent upon the existence of an improper subroutine.

Type III — Loops Containing Jumps

Type III loops contain jump category path diverters. Such potential loops containing return instructions need not be considered, as they are covered as type I loops. Calls can be bypassed in a search for type III loops, since if they act as path diverters, they will be covered as type I or II loops. Therefore, type III loops consist of simple branching structures, and the loop itself is considered a program structure.

Type IV — Loops Without Path Diverters

Type IV loops contain no path diverters. Actually, there is only one possible type IV loop, and it loops by accessing each memory location in the address space. This can only occur if the entire ROM contains no path diverters at all (the program counter eventually overflows back to the start of the ROM); this never occurs in actual practice.

In summary, with the existence of a STACK WALL, and the lack of improper subroutines, any program loop must be of types IA1, IA2, IA3, IA4b, or III. Figure 3 depicts all of these loop types. An improper subroutine modifies its return address or does not lead to a return statement. This can occur if it contains an internal loop, or calls another subroutine which calls the improper subroutine.

This program structural analysis will be the basis for the design of fault tolerant controllers developed in the next section.


Fault Tolerant Controller Implementation

Upset theory applied to the 8085 CPU will now be used to produce a new design approach for transient fault tolerant controllers. The detailed program structural analysis plays an integral part in the implementation method. Design rules — both hardware and software — will be supplied, such that a controller so constructed can be shown to have no steady state loop structures which are not designed-in, and those loop structures which are designed-in can recover from transient faults. This implementation produces a controller which is crash-proof, where crash is considered to be any situation which causes the processor to permanently cease execution of its intended function.

In order to provide a base from which to evolve this design approach, and to test its practicality, an experimental system was developed. This system also served as a testbed with which to assess the difficulty or ease of the application of this approach, and provided an indication of the number and types of erroneous loops which could be found in real systems.

Design Rules

The design rules for transient fault tolerance cover both hardware and software aspects of the controller. It will be seen that for a large number of applications these additional requirements are not overly restrictive.
Hardware

The CPU must unconditionally execute instructions. This is achieved with the addition of special state and bad fetch detectors. Program execution must be restricted so that the instructions reside in ROM. As an option, program execution can be checked with the addition of a SAFE ROM.

Circuits which satisfy the requirements imposed by these hardware design rules have been developed for the 8085, and only two inexpensive integrated circuit packages need be added to a standard design not considering faults. If a SAFE ROM is further desired, then that ROM increases the additional chip count to three.


Software

The application program must be written such that program structures IA1, IA2, and IA3 are not used. This is because the stack pointer is of necessity in RAM, and these structures can lead to loops dependent upon the contents of the RAM area used as stack; these loops cannot otherwise be prevented. This requirement is not particularly restrictive, with the possible exception of IA2. Sometimes, when a program variable jump is required, the following instruction sequence is used: PUSH H, RET. This is structure IA2. This structure can be permitted if the HL register is checked after the PUSH and before the RET to verify that it contains a valid address, and that jumps to that address cannot lead to an unknown loop. In most cases, this structure can be replaced by [illegible].

A special case of type III loops is that of the PCHL instruction. This instruction must not be used, for it is possible for the HL register to contain the address of the PCHL instruction; if this occurs, then a loop results involving only one instruction, and there is no possible way to verify that this cannot occur. However, the PCHL instruction performs precisely the same function as the PUSH H, RET sequence, and may be replaced with the sequence described above.

A STACK WALL must be included. A simple way to handle this is to leave all unused memory locations in the program store ROM either 00 or FF. In the first case, any return address retrieved from the STACK WALL will cause execution to begin at address 0000. This is the reset location, and by definition, must break any type IB loop. If the STACK WALL contains FF's, execution will begin at address FFFF, and if this address does not access the ROM, the ROM restrict hardware will force a reset, also breaking any type IB loop.

Improper subroutines must not be permitted. The return address must remain intact. Subroutines must not directly modify the stack pointer or stack space. In order to guarantee the latter, wherever a memory store instruction uses a variable address in a register for the store location, that register must be checked to verify that it is not within the stack space. A subroutine must not call itself. Interrupt service routines are treated as subroutines.

To eliminate IA4b1 loops, returns from subroutines must verify that the stack pointer is pointing to stack space in RAM. Instead of performing a return instruction, a jump must be made to a special return routine. This routine checks the stack pointer, and if it is a valid address, a return is executed. If an invalid address is found, the stack pointer must be reloaded, and a program restart made. This restriction is perhaps the most limiting, since it increases the execution time significantly for return statements. Still, there are a large number of applications where the CPU is not running near its limit of speed, and for these applications, this requirement would not cause a problem. Eliminating all returns except the one in the RET routine removes any possibility for loop type IA4b1 structures.



All possible type III loop structures should be examined. Loops which are intended to be temporary must be verified to ensure that under all circumstances, they are temporary. This can always be accomplished with the addition of a loop counter, if necessary. An example of a subroutine which originally is not fault tolerant, and its modified version, is shown in Fig. 4. The unmodified version can form an endless loop if input variables are invalid. Determination of the maximum execution time before exit for each loop can provide an upper bound for the overall upset recovery time.
All intentional steady state loops must guarantee all operating assumptions. This can be accomplished by calling a check routine from each of these loops. The check routine should guarantee that all I/O devices are programmed properly, interrupts are enabled and unmasked (if used), and any assumptions that the program makes on variables for proper operation are fulfilled.

Exit must be guaranteed from all possible interrupts. Unused vectored interrupts should jump to the start of the program. Interrupts which are generated from a programmable divider must assure the integrity of the divide ratio within the interrupt service routine.

The preceding software requirements must be met, considering both valid and erroneous loops, if a SAFE ROM is not used. The appearance of any banned structure as a portion of an erroneous loop usually results from specific address values being interpreted as op-codes. Erroneous calls to erroneous subroutines must be investigated to verify that the erroneous subroutine is not an improper subroutine; if it is, it must either be changed, or the erroneous call removed. To remove erroneous structures, the program should be shifted one byte at a time, until a shifted version results in no erroneous loop structures. There is no guarantee that this is possible; however, programs of length 1K to 2K should pose no real difficulty. For large programs, a SAFE ROM is probably desirable.

Table 1 summarizes these transient fault tolerant software design rules. These software requirements may appear difficult to employ, but with appropriate software tools the problem is greatly alleviated.
TABLE 1

Crash-Proof Software Design Rules Summary

1. Instruction execution from RAM is prohibited.

2. Exit from temporary loops must be guaranteed.

3. Steady state loops must include a call to a check subroutine which guarantees all assumptions the program requires for continued operation. This includes assumptions on I/O, interrupts, and program variables.

4. Return from all possible interrupts must be guaranteed.

5. Subroutines must not call themselves.

6. Subroutines cannot modify the stack pointer or the return address.

7. Within subroutines, memory store instructions which permit a variable store address must guarantee that the address register used does not point into the stack space.

8. Instead of RET or conditional return (RCN) instructions, a JMP or conditional jump (JCN) to a special return routine, which guarantees that the stack pointer points within the stack space before returning, must be used. (The return routine contains the only RET instruction in the entire program.)

9. A STACK WALL must be added. (Unused ROM must be 00 or FF.)

10. The PCHL instruction cannot be used.

11. Either a SAFE ROM must be used, or all erroneous loops must be removed, together with erroneous calls to subroutines which are considered to be improper (those violating the subroutine rules above).


Software Tools

Two programs were written to ease the implementation of the software requirements for fault tolerance: SAFE, and LOOP. The SAFE program accepts as input assembly language source code (a text file). It determines which memory locations contain the first byte for each instruction. This output can be used directly as the SAFE ROM contents. It is also used as input to the program LOOP.

LOOP is a tool used to locate program structures (developed in section three) which can lead to loops. It accepts as input object code for the application program of interest, and optionally a safe file generated by SAFE. The latter is used to permit classification between valid and erroneous instructions.

While conducting a search for a specified request, LOOP spans all possible trees created by conditional branches. In the loop search mode, it lists all type IA1, IA2, IA3, and III structures. Some of the structures are valid, and some are erroneous. The valid type III structures must then be verified to ensure that the loops not intended as steady state loops have an unconditional escape mechanism. There should not be any valid type I structures. The erroneous structures of all types must be removed.

LOOP can be commanded to list all subroutine calls. This is used to search for erroneous calls. Each erroneous call found must be checked: if it leads to an address not contained in ROM, nothing need be done (the hardware will handle it); otherwise, that erroneous subroutine must be checked to determine if it is an improper subroutine, in which case either the erroneous call or the erroneous subroutine must be changed. As an aid for the verification of erroneous subroutines, a disassembler option is included in LOOP.

A search can be made for all memory store instructions which utilize variable store locations. This is used to verify that the programmer has caught all such instructions in subroutines, and has taken steps to eliminate type IA4b1 structures.

With the interactive use of the loop search program, the programmer can effectively and efficiently produce a modified application program to achieve fault tolerance.
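A static rule checker for an 8085 ROM image, added here as an example; it is not the paper's SAFE or LOOP program. It derives the instruction start addresses (what SAFE places in the SAFE ROM) by a linear sweep, which assumes straight-line code with no inline data, and then checks Table 1 rules 8, 9, 10 and 11 against a constructed ROM image, flagging operand bytes that an erroneous fetch would execute as PCHL or RET; the return routine address, the sample bytes and the check's scope are assumptions.

```python
"""Static design-rule checker for an 8085 ROM image (added example, not the
paper's SAFE or LOOP tool). Assumes straight-line code with no inline data, so
a linear sweep from the entry point yields the instruction start addresses,
which is what SAFE derives from the source and stores in the SAFE ROM."""

PCHL = 0xE9
RET_FAMILY = {0xC9, 0xC0, 0xC8, 0xD0, 0xD8, 0xE0, 0xE8, 0xF0, 0xF8}  # RET, Rcc


def insn_len(op):
    """Byte length of an 8080/8085 opcode (undocumented 8085 ones included)."""
    lo = op & 0x0F
    if 0x40 <= op <= 0xBF:                        # MOV, HLT, register ALU ops
        return 1
    if op < 0x40:
        if lo == 0x01 or (lo in (0x02, 0x0A) and op >= 0x20):
            return 3                              # LXI, SHLD/LHLD, STA/LDA
        return 2 if lo in (0x06, 0x0E) else 1     # MVI, else single byte
    if lo in (0x02, 0x04, 0x0A, 0x0C) or op in (0xC3, 0xCD, 0xDD, 0xFD):
        return 3                                  # Jcc, Ccc, JMP, CALL, JNK, JK
    return 2 if lo in (0x06, 0x0E) or op in (0xD3, 0xDB) else 1  # imm ALU, OUT, IN


def instruction_starts(rom, entry, code_end):
    """Addresses holding the first byte of a valid instruction."""
    starts, pc = set(), entry
    while pc < code_end:
        starts.add(pc)
        pc += insn_len(rom[pc])
    return starts


def check_rules(rom, entry, code_end, ret_routine):
    """List (rule, address, note) violations of Table 1 rules 8, 9, 10 and 11."""
    starts, bad = instruction_starts(rom, entry, code_end), []
    for a in range(code_end):
        op = rom[a]
        if a in starts:
            if op == PCHL:
                bad.append((10, a, "PCHL instruction used"))
            elif op in RET_FAMILY and a != ret_routine:
                bad.append((8, a, "RET outside the return routine"))
        elif op == PCHL or op in RET_FAMILY:
            # Operand byte an erroneous (misaligned) fetch would run as PCHL/RET.
            bad.append((11, a, "erroneous %02X inside an operand" % op))
    for a in range(code_end, len(rom)):           # rule 9: STACK WALL
        if rom[a] not in (0x00, 0xFF):
            bad.append((9, a, "unused ROM byte is not 00 or FF"))
    return bad


# Constructed ROM image: a steady-state loop calling a subroutine that exits
# through the single-RET return routine at 0011h (the paper's routine checks
# the stack pointer before that RET).
GOOD = bytes([0x31, 0x00, 0x20, 0xCD, 0x0C, 0x00,  # 0000 LXI SP,2000h; CALL 000Ch
              0x32, 0x00, 0x21, 0xC3, 0x03, 0x00,  # 0006 STA 2100h; JMP 0003h
              0x3E, 0x01, 0xC3, 0x11, 0x00,        # 000C MVI A,01h; JMP 0011h
              0xC9]) + b"\xFF" * 14                # 0011 RET, then STACK WALL
# Same program with STA 00E9h (operand E9h reads as PCHL), a bare RET, a PCHL
# and a stray 55h in unused ROM: violates rules 11, 8, 10 and 9 in that order.
BAD = bytes([0x31, 0x00, 0x20, 0xCD, 0x0C, 0x00, 0x32, 0xE9, 0x00,
             0xC3, 0x03, 0x00, 0x3E, 0x01, 0xC9, 0xE9]) + b"\xFF" * 15 + b"\x55"
```

check_rules(GOOD, 0, 0x12, 0x11) returns an empty list, while the BAD image yields one violation per injected defect; the byte-shift remedy the text describes is not modelled here, since it requires reassembly at a new origin.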


Fault Tolerant Controller Test System

The test system is self-contained and consists of two microprocessor controllers, power supplies, and a fault source. It was used to verify the viability of the design rules developed for fault tolerant controller implementation. Measurements of program execution were taken with a logic analyzer and an oscilloscope.

A noisy power supply was chosen as a reasonably realistic fault source which can be controlled in the laboratory environment. The testbed controllers are 8085 based and utilize a total of [illegible] standard integrated circuits, exclusive of the additional hardware (two or three integrated circuits). The controller function is to read the input switches and write appropriate displays to the output lamps.

Crash-proof versions of the original control program were written and exercised in the test system. No permanent program crashes were observed.


Conclusions

Design rules have been developed for microprocessor controllers to provide tolerance to transient faults at a functional level. It has been proven that adherence to these rules will produce a crash-proof controller: all possible program loops are known, each corresponds to a valid mode of operation, and continual processor execution is assured. To accomplish this end, a very small number of additional components are required and the increase in software complexity is low. The testbed controllers required from 8 to 14 percent increase in program size to satisfy the software design rules. This approach to fault tolerance without the use of massive redundancy must be viewed in the proper perspective. It is not intended as a replacement for high reliability data intensive applications, which would normally require duplication or triplication of hardware. It is, however, applicable to the much larger class of systems which do not have such severe requirements, but which can greatly benefit from a guarantee that the system will continue to operate in the long term. Bounds on recovery time can be found through loop analysis, and this can be lowered if desired with the addition of a watchdog timer activated by the check routine.

Testbed Results

Complete adherence with the design rules produces a totally crash-proof controller. The questions are sometimes raised as to how prevalent various loop structures are in the software, and how often a controller will be driven to these loops. With regard to the first question, after loop analysis of approximately a dozen program versions, the presence of erroneous loop structures was observed in many of them. Most of the observed erroneous structures were of the stack varieties. One version contained a PCHL instruction, and another a jump loop. The answer to the first question is that these erroneous structures are quite common, though it is possible to find program versions which are free of such structures.

To respond to the second question, it first must be noted that simple intuition concerning the likelihood of various loops is not at all reliable. Transitions into erroneous loop programs which are intuitively highly unlikely were observed.

The test controllers were run with various combinations of hardware and software. It was found that the removal of either the halt detect or ROM restrict mechanisms caused some mode of program crash. Unmodified program versions were observed to crash with the hardware restrictions in place. Therefore, it has been found that practical systems require both the hardware and the software modifications that have been shown theoretically to be necessary.
Comparison with the Watchdog Timer

Probably the simplest and most prevalent external hardware addition used for fault detection is the watchdog timer. In normal operation, the microprocessor periodically pulses the external timer. The software is written such that the processor is guaranteed to pulse the timer before a specified time elapses. The timer is retriggerable, so that under normal operation it never times out. Should the processor fail to trigger the watchdog within the allotted time period, the timer initiates recovery action, which can be as simple as resetting the processor, or as complex as running a test program which thoroughly exercises the entire system and logs the results. Watchdog timers are discussed in [7]; an implementation can be found in [8], and discussion of the effectiveness of watchdog timers can be found in [9,10].

The containment approach must be compared with the watchdog timer technique, which is also used to prevent crashes in the long term. The watchdog timer has been found to be effective in many applications; however, it suffers from a major drawback: typically, it is not provably complete. When used, there is no assurance that there does not exist some loop program which can trigger the watchdog, yet not maintain correct system functioning. The techniques developed in this research can be used to validate such watchdog timer approaches to tolerance. However, without the ROM restriction, no such validation can occur, since there is always the possibility that a loop can be set up in RAM, activating the timer, and not performing the system function. With a loop analysis, and a ROM restriction mechanism, then, the watchdog timer technique can be validated. Each possible loop structure need only be inspected to verify that erroneous loops do not trigger the timer. This approach uses the same number of parts as does the containment strategy: the ROM restrict mechanism, and a retriggerable timer. The only advantage of using these new tools to validate a watchdog timer approach would be to simplify the software changes. These software changes have been shown to be relatively easy to achieve with small controllers. A combined loop analysis/watchdog timer approach could be useful for larger systems. In a sense, the watchdog approach can be seen to be a subset of the containment approach.

Watchdog timers typically operate with a long time interval. As a result, they reset the system relatively long after the system has crashed. The strict containment approach reacts much faster than the watchdog approach, since the only timer (fetch detect/halt reset) is on the order of a single instruction time. This shorter timer period, and the immediate response to an erroneous fetch, cause these hardware forced resets to respond much quicker to a fault than would a watchdog timer, and can have the effect of restoring system operation before errors can propagate as far as with a watchdog approach.

In summary, the watchdog timer approach to transient fault tolerance is viewed as incomplete in itself, but useful as an option to be incorporated within the containment method.